cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Connection to VPN server from Linux with SecureID

Jump to solution

Hi,

I have a customer who gave us access to their system using something some CheckPoint Software with SecureID (username and secureId, no Password as far as we understand). How can we connect to these system from Linux?

We could not find any VPN client for linux on CheckPoint website

It looks like we get secureId code using stoken software so that should be OK.

If going to their VPN server 87.238.64.1 then there is some login popup but they require some java plugins which are now deprecated in all existing browsers so this is not a working solution

The page also allows to start a program called snx

snx -h
Check Point's Linux SNX
build 800008061
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
                                run SNX using given arguments
       snx -f <cf>              run the snx using configuration file
       snx                      run the snx using the ~/.snxrc

       snx -d                   disconnect a running SNX daemon

        -s <server>           connect to server <server>
        -u <user>             use the username <user>
        -c <certfile>         use the certificate file <certfile>
        -l <ca dir>           get trusted ca's from <ca dir>
        -p <port>             connect using port <port>
        -g                    enable debugging
        -e <cipher>           SSL cipher to use: RC4 or 3DES

But snx does not seem to allow using securId authentication

We also tried the standard Linux cisco VPN client: openconnect but it fails with some error XML response has no "auth" node

Soft token init was successful.

Soft token init was successful.
POST https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 404 Not Found
Date: Fri, 31 Aug 2018 13:47:25 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 28 May 2014 09:11:07 GMT
Content-Length: 204
HTTP body length:  (204)
Unexpected 404 result from server
GET https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 200 OK
Date: Fri, 31 Aug 2018 13:47:26 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Content-Length: 11788
HTTP body length:  (11788)
XML response has no "auth" node

So what is the official way to connect to a VPN server using securid from Linux?

1 Solution

Accepted Solutions
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

  • If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
  • If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

0 Kudos
16 Replies
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

The only supported VPN client on Linux is SNX, which does require Java, and yes, many browsers have deprecated support for this.

To activate SNX from the Mobile Access portal (which definitely supports SecurID), your customer should apply the fix described here: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

We do not support using the Cisco client to connect to our gateways.

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Hi,

Thanks for the quick answer.

What browser support Java these days?

And is there any way to user secureid from the snx command line? None of the options seems to indicate it, as seen in the output in report.

Thanks

Olivier

0 Kudos
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

I'm sure there is some browser out there that still supports it, but the common cross-platform ones do not Smiley Happy

Theoretically, you should just be able to use the PIN + SecurID token number as the password on the CLI.

If you require some other password to sign in in addition to this, then I'm afraid there is no way to do it using the CLI and you must authenticate using the Mobile Access Portal.

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Thank you again!

Pin + secureid on one line as password?

0 Kudos
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Pretty sure that will work, as that's exactly how you would enter it in the browser.

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Hi,

unfortunately that does not work, it is also a bit surprising because If I try to log into the gui there is field called secureid. If I let the password empty and write the secureid number in the secureid field then I get a window telling me that I am connected (If I write my pin as password I get an access denied error). No VPN connection is created because I could not find any browser supporting java yet... but this really looks like my token and config is correct

So its looks like the web solution does not require any password/pin but if I run snx from command line I get access denied with PIN and PIN + tokenid and tokenid.... If the java stuff calles snx in the background thenhow is it sending the PIN? Can i emulate it using command line?

Olivier

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution
0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Version is

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

That seems to be over the version adviced in this PR. Althoug there is not ver option

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

usage: snx -s ] [-e SSL cipher to use: RC4 or 3DES

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

So you are using the wrong version and SNX CLI can not work 😞 The customer is using an unsupported SNX build for Linux CLI connection (not SNX build 800007075).

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

OK. And where do I get that special version? You have a link above but I click on it it says:

"""

Symptoms
  • SSL Network Extender does not connect to Mobile Access blade via client CLI in Linux and Mac OS X.
Solution
To view this solution, Advanced access is required.
Click here to learn more about our Support Programs and Plans .

"""

The customer website https://87.238.64.1/ gives a link to download snx, why is this a non working version? And how can I get that working version?

Thank you

Olivier

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

This can be accomplished by involving TAC!

0 Kudos
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

If you see more than one "password" prompt, it maybe that your customer has multifactor authentication enabled on the gateway.

If this is the case, the command line SNX client will not work (regardless of version) and your only option is to authenticate with a web browser.

As far as I know the functionality in that special version has been rolled into current versions anyway.

0 Kudos

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Can you get that confirmed ? If this is true, sk115242 should be changed.

0 Kudos
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Probably worth a comment in the SK.

I'll ask.

0 Kudos
Highlighted

Re: Connection to VPN server from Linux with SecureID

Jump to solution

Yes, especially as sk115242 speaks of RFE 😉

0 Kudos
Admin
Admin

Re: Connection to VPN server from Linux with SecureID

Jump to solution

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

  • If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
  • If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

0 Kudos